Open Source Security for Federal Government Applications

Today’s application landscape is complex, and for federal government agencies, maintaining security through that complexity is paramount. Untracked open source code, and the vulnerabilities that can come with it, compromises security and exposes your organization and constituents to significant risk.

With recent open source use mandates for government agencies, as well as strategic plans for federal cybersecurity, it’s imperative that you have an established set of tools and automated processes to detect and manage open source security risks in your applications.

Constant Threat and Persistent Security

Government data is a constant target for malicious activity by both individual and state-sponsored hackers. Recent reports from the FTC and Verizon find that government applications face significant and unrelenting attacks, making them the target of the greatest number of cyber incidents and breaches across industry sectors.

The goal for developers, established by the National Science and Technology Council (NSTC), is to ensure that application security and risk management practices make the cost of an attempted attack greater than the potential benefit of a breach. But open source vulnerabilities, which are often widely publicized, make attacks inexpensive. By proactively tracking and managing open source vulnerabilities, you turn the security economics in your favor.

A Measure of Success

Federal mandates and strategic initiatives outline the criteria needed to successfully achieve target levels of application security, deter security hackers, and encourage the proliferation of software across the federal government.

- 100K: target for lines of code per defect in government applications
- 2019
- 20% or more of agency code must be released as open source

Eliminating Vulnerabilities in Government Software

What makes attacks so inexpensive? Unpatched or unidentified vulnerabilities in applications’ code are easily exploited. With open source components comprising 50% or more of a typical application, a vulnerability in one component can be used to compromise hundreds or thousands of applications. In fact, a recent Department of Homeland Security report estimates that 90 percent of security incidents result from exploits against defects in software.

Effective detection and remediation of vulnerabilities in open source components has a material impact on deterring adversaries and preventing a successful attack. Yet the presence of untracked open source components in government applications represents a serious threat: you can’t defend against threats you don’t track.

When we built our business case for bringing in Black Duck, our internal information security group was a co-sponsor of the effort. This group now has a significantly easier way to determine which artifacts and versions are affected by any security vulnerability and which applications are impacted as a result. This capability did not exist before, so this is huge.

- Kostas Gaitanos, Senior Director of Development Services, FINRA

Simplifying Open Source Application Security Management for the Federal Government

Black Duck solutions for open source application security and license compliance provide a complete, single pane of glass view into open source risks in your applications. Black Duck solutions:

- Identify and inventory open source components used in your applications.
- Map components to known open source vulnerabilities.
- Monitor for and alert on new vulnerabilities which impact your applications.
- Automate and integrate open source governance into your development tools and processes.
- Deliver powerful risk and remediation insight to security teams.

Black Duck products and services are available for purchase through Carahsoft's GSA contracts and Carahsoft's NASA SEWP contracts.